(Forgive the HTML: this is one of the few times where I think it’s worthwhile. This email uses color to convey information.)
So, while relaxing with a good stogie, I started mulling over the UX
problem of communicating information about encryption status,
signatures, validity, and more. I got nowhere, which is when I decided
to burn it all down and start from a clean sheet of paper.
Enigmail and GnuPG exist to provide the CIA triad. No, not the
intelligence agency — Confidentiality, Integrity, and Assurance. Those
are the three metrics we need to communicate to the user. So let’s
throw out all the language about “untrusted good signature” and start
over from scratch: let’s communicate the triad.
First things first: rename it, because only hardcore nerds understand
what CIA means. (“What’s the difference between integrity and
assurance?” is a really common question in undergraduate computer
security courses. Even computer science majors who have an interest in
this stuff, as evidenced by signing up to take a class in it, generally
don’t understand it.) I’m going to rename the triad the PAI triad:
Privacy, Authenticity, and Identity. Further, instead of giving
incredibly detailed “valid signature but the certificate has not been
validated” types of messages, let’s reduce it to binary choices. People
like binary choices: they’re easy to understand.
* *Privacy* is a binary state: yes the message was private
(encrypted), or no it was not.
* *Authenticity* is also a binary state: we are confident the message
is authentic, or we are not.
* *Identity* is also a binary state: we are confident it came from the
specified person, or we are not.
We can present this information to the user using just three letters in
different colors—green for yes, black for no. Imagine, for instance,
that we have an untrusted good signature on an unencrypted message. We
would then put at the top of the email:
Privacy (black: no)
Authenticity (green: yes)
Identity (black: no)
Immediately, at a glance, the user can see that the message is not
private, is authentic, but we don’t know who it came from.
A good signature from a validated certificate, but no encryption, would
get marked up as—
Privacy (black: no)
Authenticity (green: yes)
Identity (green: yes)
An encrypted message without a signature would get—
Privacy (green: yes)
Authenticity (black: no)
Identity (black: no)
An encrypted and signed message from an unknown certificate—
Privacy (green: yes)
Authenticity (green: yes)
Identity (black: no)
And finally, an encrypted and signed message from a validated certificate—
Privacy (green: yes)
Authenticity (green: yes)
Identity (green: yes)
Immediately, right at-a-glance, users get the information that’s of most
use to them: is this message private? Is it authentic? Did it really
come from the person I think it did? If the user wants to know details
about why a particular message was graded in a particular way, they’d
double-click on the header and get a detailed breakdown of what factors
went into each decision. For instance, Enigmail might display a new
window that contained something like:
------------------------------------------------------------------------
* *Privacy.* This email was encrypted with your RSA key.
_Click here_ to open this key in the Key Management window.
Camellia-256 was used for symmetric encryption.
* *Authenticity.* This email was signed; however, the
signature did not check out. The message, the signature, or
both, were altered in transit. This is not necessarily a sign
of hostile action. Sometimes messages get garbled in the
process of transmitting from one system to the next.
* *Identity.* This email claims to be from Robert J. Hansen
<[email protected]> with key ID 0xDEADBEEFDEADBEEF. However, we
do not know the signing key really belongs to this person. If
you’re certain the signing key belongs to this person, _click
here_ and Enigmail will remember it for the future.
------------------------------------------------------------------------
… Bam. A simple UX that everyone sees, which conveys the most important
information at-a-glance. If more detailed information is needed, we
present it in human-friendly language and embed within the language
links to help people do common tasks related to keys.
Further, this UX is completely independent of the trust model used by
GnuPG. If you want to use the Web of Trust, no problem. If you have
--trust-model=always set, no problem. If you’re using TOFU, no problem.
What do y’all think?
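One concrete way to derive the three flags from what GnuPG already reports, as an added example that is not from the original post or from Enigmail: it reads real GnuPG --status-fd keywords, treats only full or ultimate key validity as a "validated certificate", and the key ID, name and address in the sample transcript are constructed.

```python
# Added example, not code from the original post: reduce GnuPG --status-fd
# output to the proposed Privacy / Authenticity / Identity triad. The status
# keywords (DECRYPTION_OKAY, GOODSIG, BADSIG, TRUST_*) are real GnuPG status
# lines; the sample transcript below is constructed.
from dataclasses import dataclass

# Validity levels treated as a "validated certificate" for Identity; TRUST_MARGINAL
# is left out on purpose because the proposal wants a binary answer.
VALIDATED = {"TRUST_FULLY", "TRUST_ULTIMATE"}

@dataclass(frozen=True)
class Triad:
    privacy: bool       # message was encrypted (and decrypted for us)
    authenticity: bool  # a signature was present and verified
    identity: bool      # the signing key is validated for the claimed owner
    signer: str = ""    # user ID named by the signature, for the detail view

def triad_from_status(status_fd: str) -> Triad:
    """Map '[GNUPG:] KEYWORD args' lines onto three yes/no flags."""
    privacy = authenticity = identity = False
    signer = ""
    for line in status_fd.splitlines():
        fields = line.split(maxsplit=3)   # ['[GNUPG:]', KEYWORD, arg, rest]
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue                      # not a status line
        keyword = fields[1]
        if keyword == "DECRYPTION_OKAY":
            privacy = True
        elif keyword in ("GOODSIG", "BADSIG"):   # <keyid> <user id> follow
            authenticity = keyword == "GOODSIG"  # BADSIG: present but failed
            signer = fields[3] if len(fields) > 3 else ""
        elif keyword in VALIDATED:
            identity = True
    # A validated key only vouches for the author if the signature checked out.
    return Triad(privacy, authenticity, identity and authenticity, signer)

def render(t: Triad) -> str:
    """At-a-glance header: green = yes, black = no, as in the proposal."""
    colour = {True: "green", False: "black"}
    return (f"Privacy:{colour[t.privacy]} Authenticity:{colour[t.authenticity]}"
            f" Identity:{colour[t.identity]}")

# Constructed transcript: good signature from an unvalidated key, no encryption.
UNTRUSTED_GOOD_SIG = """\
[GNUPG:] GOODSIG DEADBEEFDEADBEEF Robert J. Hansen <rjh@example.invalid>
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

if __name__ == "__main__":
    print(render(triad_from_status(UNTRUSTED_GOOD_SIG)))
```

Feeding the same function the status lines of the other four cases in the post yields the corresponding colour patterns, and the `signer` field carries the claimed user ID for the detailed breakdown window.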